VRF issue

adergah · ‎12-16-2017

Hello everyone,

I have a problem due to VRF issue. If anyone can find me a solution I would appreciate it. I am sending my current configuration in brief to check:

vrf definition PENS_MSG_OPS

rd 2:2

route-target export 2:2

route-target import 2:2

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

vrf definition PENS_MSG_TEST

rd 3:3

route-target export 3:3

route-target import 3:3

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

interface Loopback2

vrf forwarding PENS_MSG_OPS

ip address 57.235.248.67 255.255.255.255

!

interface Loopback3

vrf forwarding PENS_MSG_TEST

ip address 57.235.248.70 255.255.255.255

!

interface GigabitEthernet0/0/0

description to_DHMI_BACKUP_ROUTER

ip address 10.26.1.1 255.255.255.252

no ip proxy-arp

negotiation auto

!

interface GigabitEthernet0/0/1

description to_DHMI_LAN

no ip address

negotiation auto

!

interface GigabitEthernet0/0/1.2

description PENS_MSG_OPS

encapsulation dot1Q 2

vrf forwarding PENS_MSG_OPS

ip address 57.235.205.177 255.255.255.240

standby version 2

standby 102 priority 255

standby 102 preempt delay minimum 20

standby 102 authentication md5 key-string 7dhmi

service-policy input input_match

!

interface GigabitEthernet0/0/1.3

description PENS_MSG_TEST

encapsulation dot1Q 3

vrf forwarding PENS_MSG_TEST

ip address 57.235.205.201 255.255.255.248

standby version 2

standby 152 priority 255

standby 152 preempt delay minimum 20

standby 152 authentication md5 key-string 7dhmi

service-policy input input_match

!

interface GigabitEthernet0/1/0

switchport access vlan 102

switchport trunk allowed vlan 102

switchport mode trunk

!

interface GigabitEthernet0/1/1

switchport access vlan 152

switchport trunk allowed vlan 152

switchport mode trunk

!

interface Vlan102

description PENS_MSG_OPS

vrf forwarding PENS_MSG_OPS

ip address 57.235.239.210 255.255.255.252

no ip proxy-arp

!

interface Vlan152

description PENS_MSG_TEST

vrf forwarding PENS_MSG_TEST

ip address 57.235.239.222 255.255.255.252

no ip proxy-arp

!

router bgp 64784

bgp router-id 57.235.239.210

bgp log-neighbor-changes

no bgp default ipv4-unicast

timers bgp 15 45

neighbor 10.26.1.2 remote-as 64784

!

address-family ipv4

neighbor 10.26.1.2 activate

neighbor 10.26.1.2 send-community extended

neighbor 10.26.1.2 next-hop-self

exit-address-family

!

address-family ipv4 vrf PENS_MSG_OPS

bgp router-id 57.235.239.210

network 57.235.205.176 mask 255.255.255.240

neighbor 57.235.239.209 remote-as 65000

neighbor 57.235.239.209 description OPS_MSG_VPN

neighbor 57.235.239.209 activate

neighbor 57.235.239.209 send-community extended

neighbor 57.235.239.209 prefix-list DHMI out

neighbor 57.235.239.209 route-map set_metric_50 out

exit-address-family

!

address-family ipv4 vrf PENS_MSG_TEST

bgp router-id 57.235.239.222

network 57.235.205.200 mask 255.255.255.248

neighbor 57.235.239.221 remote-as 65000

neighbor 57.235.239.221 description MSG_TEST

neighbor 57.235.239.221 activate

neighbor 57.235.239.221 send-community extended

neighbor 57.235.239.221 prefix-list DHMI out

neighbor 57.235.239.221 route-map set_metric_50 out

exit-address-family

!

ip forward-protocol nd

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0

!

ip as-path access-list 1 permit ^$

!

ip access-list extended qos_D1

permit tcp any any eq 8500

permit tcp any eq 8500 any

permit udp any any eq 8500

permit udp any eq 8500 any

ip access-list extended qos_D2

permit tcp any any eq 102

permit tcp any eq 102 any

permit udp any any eq 102

permit udp any eq 102 any

ip access-list extended qos_D3

permit ip any any

!

ip prefix-list DHMI seq 10 permit 57.235.205.176/28

ip prefix-list DHMI seq 20 permit 57.235.205.200/29

!

route-map set_metric_50 permit 10

set metric 50

So here is the explanation:

My gig 0/1/0 and gig 0/1/1 ports are connected to PE router and I am configuring the CE router. There is no problem on bgp I can ping vrf to the Interface of PE routers. What the problem is on my 0/0/1 port it will be connected to my local Lan. IP routes will further be added but what I am trying to do is I am giving my computer as the IP of 57.235.205.181/28 for example and I can ping the Routers interface of Gig 0/0/1.2 which is 57.235.205.177. However on the Router I can't ping to the address of computer. What is more surprising is I can't even ping to the it's own IP address on the router itself. When I remove the command Vrf forwarding PENS_MSG_OPS from subinterface 0/0/1.2 for example this time I can ping the computer but I can't ping the IP VRF on the PE router side from my router. What am I missing here? what kind of change should I make to ping both of them? If you can help me I will appreciate it. Thank you for your helps, have a nice weekend.

Georg Pauwen · ‎12-16-2017

Hello,

do you have the PE router config as well ?

adergah · ‎12-16-2017

Hello,

Unfortunately I don't have its configuration or access to PE routers. What I have is their Vlan number and IP address.

Georg Pauwen · ‎12-16-2017

Hello,

you might be missing a default route for the VRF, something like the route below:

ip route vrf PENS_MSG_OPS 0.0.0.0 0.0.0.0 GigabiEthernet0/0/1.2

adergah · ‎12-16-2017

Well, I tried but I can't enter a route like that it says the following:

For VPN or Topology routes, must specify a next hop IP address if not a point-to-point interface.

Any other possible solutions?

Georg Pauwen · ‎12-16-2017

Hello,

just to be sure: do you ping the VRF ?

R1#ping vrf PENS_MSG_OPS 57.235.205.181
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 57.235.205.181, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/12 ms

R1#ping vrf PENS_MSG_OPS 57.235.205.177
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 57.235.205.177, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

adergah · ‎12-16-2017

I can ping vrf PENS_MSG_OPS 57.235.205.177 and ping vrf PENS_MSG_OPS 57.235.239.209(PE Router) successfully.

I cant ping vrf PENS_MSG_OPS 57.235.205.181 my Lan side.

Georg Pauwen · ‎12-16-2017

Hello,

--> However on the Router I can't ping to the address of computer. What is more surprising is I can't even ping to the it's own IP address on the router itself. <--

I have labbed this in a rudimentary way...check the default gateway on your computer, make sure it is 57.235.205.177 and that the subnet mask /28 is correct. Is this a Windows PC ?

Also, your HSRP configuration looks incomplete, you do not have a standby IP address configured ?

adergah · ‎12-16-2017

Ip and Gateways are correct. It is a Windows PC, I have closed the Windows firewalls and I opened the acceptance of ICMP packets. Everything is normal on the PC side. Like I said I can ping from computer to Router, but I can't ping from Router to the computer. I checked with 3 different PC also, the same result.

About HSRP, you are correct I had configured that before I just changed the number of subinterface and forget configuration during the change I guess. I reconfigured thank you.

Georg Pauwen · ‎12-16-2017

Hello,

can you post the output of:

sh ip route vrf PENS_MSG_OPS

adergah · ‎12-16-2017

It is a long list:

Routing Table: PENS_MSG_OPS

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

a - application route

+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

57.0.0.0/8 is variably subnetted, 129 subnets, 5 masks

B 57.192.110.50/32 [20/50] via 57.235.239.209, 1d06h

B 57.192.110.51/32 [20/50] via 57.235.239.209, 1d06h

B 57.192.110.54/32 [20/50] via 57.235.239.209, 1d06h

B 57.192.110.55/32 [20/50] via 57.235.239.209, 1d06h

B 57.205.189.93/32 [20/50] via 57.235.239.209, 1d06h

B 57.215.83.90/32 [20/50] via 57.235.239.209, 1d06h

B 57.231.139.0/24 [20/50] via 57.235.239.209, 1d06h

B 57.235.200.16/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.200.112/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.201.0/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.201.48/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.201.96/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.201.144/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.203.16/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.203.64/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.203.112/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.203.208/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.204.0/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.204.48/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.204.96/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.204.240/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.205.80/28 [20/50] via 57.235.239.209, 1d06h

C 57.235.205.176/28 is directly connected, GigabitEthernet0/0/1.2

L 57.235.205.177/32 is directly connected, GigabitEthernet0/0/1.2

B 57.235.206.208/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.207.48/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.207.144/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.208.176/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.209.16/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.209.64/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.209.112/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.209.208/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.210.144/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.210.152/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.16/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.32/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.48/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.80/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.128/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.176/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.211.224/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.212.96/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.212.112/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.212.128/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.212.160/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.213.0/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.214.8/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.214.128/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.214.176/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.214.224/28 [20/50] via 57.235.239.209, 1d06h

B 57.235.231.80/30 [20/50] via 57.235.239.209, 1d06h

B 57.235.232.52/30 [20/50] via 57.235.239.209, 1d06h

B 57.235.232.56/30 [20/50] via 57.235.239.209, 1d06h

B 57.235.233.112/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.233.136/29 [20/50] via 57.235.239.209, 1d06h

B 57.235.236.184/30 [20/50] via 57.235.239.209, 1d06h

B 57.235.236.188/30 [20/50] via 57.235.239.209, 1d06h

C 57.235.239.208/30 is directly connected, Vlan102

L 57.235.239.210/32 is directly connected, Vlan102

B 57.235.247.1/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.5/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.9/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.14/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.19/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.23/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.27/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.32/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.37/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.41/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.45/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.50/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.55/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.59/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.63/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.68/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.73/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.77/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.81/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.86/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.99/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.103/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.107/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.111/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.115/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.119/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.123/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.127/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.131/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.135/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.139/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.143/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.155/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.163/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.168/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.173/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.177/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.181/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.185/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.189/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.193/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.197/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.201/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.205/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.209/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.213/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.217/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.223/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.227/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.241/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.245/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.247.249/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.1/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.5/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.9/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.19/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.21/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.24/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.26/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.51/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.53/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.64/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.66/32 [20/50] via 57.235.239.209, 1d06h

C 57.235.248.67/32 is directly connected, Loopback2

B 57.235.248.71/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.75/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.90/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.94/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.98/32 [20/50] via 57.235.239.209, 1d06h

B 57.235.248.100/32 [20/50] via 57.235.239.209, 1d06h

159.197.0.0/16 is variably subnetted, 2 subnets, 2 masks

B 159.197.60.192/27 [20/50] via 57.235.239.209, 1d06h

B 159.197.63.0/24 [20/50] via 57.235.239.209, 1d06h

172.20.0.0/32 is subnetted, 4 subnets

B 172.20.21.20 [20/50] via 57.235.239.209, 1d06h

B 172.20.21.21 [20/50] via 57.235.239.209, 1d06h

B 172.20.21.22 [20/50] via 57.235.239.209, 1d06h

B 172.20.21.23 [20/50] via 57.235.239.209, 1d06h

172.21.0.0/32 is subnetted, 1 subnets

B 172.21.8.152 [20/50] via 57.235.239.209, 1d06h

193.221.227.0/26 is subnetted, 1 subnets

B 193.221.227.0 [20/50] via 57.235.239.209, 1d06h

194.15.199.0/24 is variably subnetted, 2 subnets, 2 masks

B 194.15.199.0/28 [20/50] via 57.235.239.209, 1d06h

B 194.15.199.32/29 [20/50] via 57.235.239.209, 1d06h

B 194.49.222.0/24 [20/50] via 57.235.239.209, 1d06h

Georg Pauwen · ‎12-16-2017

Hello,

are you allowing VLAN 2 on the trunk that is connected to the router ? Can you post the switch config as well ?

adergah · ‎12-16-2017

Switch's configuration is as the following:

interface GigabitEthernet0/1

switchport access vlan 2

!

interface GigabitEthernet0/2

switchport access vlan 3

!

interface GigabitEthernet0/3

switchport trunk allowed vlan 2,3

switchport mode trunk

0/3 connected to router, 0/1 to the computer.

Georg Pauwen · ‎12-16-2017

Hello,

service-policy input input_match

Post the configuration of the corresponding policy map, input_match...

adergah · ‎12-16-2017

I deleted those parts:

class-map match-any D1

description FMTP

match access-group name qos_D1

class-map match-any D2

description AMHS

match access-group name qos_D2

class-map match-any D3

match any

!

policy-map input_match

class D1

class D2

class D3

!